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Abstract. Continuous Markovian Logic (CML) is a multimodal logic that expresses 
quantitative and qualitative properties of continuous-time labelled Markov processes with 
arbitrary (analytic) state-spaces, henceforth called continuous Markov processes (CMPs). 
The modalities of CML evaluate the rates of the exponentially distributed random variables 
that characterize the duration of the labeled transitions of a CMP. In this paper we present 
weak and strong complete axiomatizations for CML and prove a series of metaproperties, 
including the finite model property and the construction of canonical models. CML char- 
acterizes stochastic bisimilarity and it supports the definition of a quantified extension of 
the satisfiability relation that measures the "compatibility" between a model and a prop- 
erty. In this context, the metaproperties allows us to prove two robustness theorems for 
the logic stating that one can perturb formulas and maintain "approximate satisfaction" . 



Introduction 

Many complex natural and man-made systems (e.g., biological, ecological, physical, social, 
financial, and computational) are modeled as stochastic processes in order to handle either 
a lack of knowledge or inherent randomness. These systems are frequently studied in inter- 
action with discrete systems, such as controllers, or with interactive environments having 
continuous behavior. This context has motivated research aiming to develop a general the- 
ory of systems able to uniformly treat discrete, continuous and hybrid reactive systems. 
Two of the central questions of this research are "when do two systems behave similarly 
up to some quantifiable observation error?" and "is there any (algorithmic) technique to 
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check whether two systems have similar behaviours?". These questions are related to the 
problems of state space reduction (collapsing a model to an equivalent reduced model) and 
discretization (reduce a continuous or hybrid system to an equivalent discrete one), which 
are cornerstones in the field of stochastic systems. 

For probabilistic systems, the concept of probabilistic bisimulation introduced by Larsen 
and Skou [LS91] is the standard concept for reasoning about probabilistic behaviours. It 
relates probabilistic systems with identical probabilistic behaviour, see [Pan09] for an ex- 
pository introduction. Labelled Markov processes are the probabilistic analogs of labelled 
transition systems with state spaces that might be continuous. The theory of probabilistic 
bisimulation has been appropriately extended to cover the case of continuous-state spaces 
and continuous distributions [DEP02J. In addition, probabilistic multimodal logics (PMLs) 
have been used to characterize the probabilistic bisimilarity [DEP02. IDP03] , 

Despite the elegant theories supporting it, the concept of bisimulation remains too strict 
for applications. In modelling, the values of the parameters (rates or probabilities) are 
often approximated and consequently, one is interested to know whether two processes that 
differ by a small amount in real-valued parameters show similar (not necessarily identical) 
behaviours. In such cases, instead of a bisimulation relation, one needs a metric concept 
to estimate the degree of similarity of two systems in terms of their behaviours. The 
metric theory for Markov processes was initiated by Desharnais et al. |DGJP04j and greatly 
developed and explored by van Breugel, Worrell and others [vBWOlt |vB+ 03l. One way to 
do this is to relax the satisfiability relation in the logic and replace it with a function that 
reports the "degree of satisfiability" between a Markov process and a logical property. This 
further induces a behavioural pseudometric on processes measuring the distance between 
processes in terms of their behavioural similarity. 

It was hoped that these metrics would provide a quantitative alternative to logic, but 
this did not happen. One reason could originate in the fact that all this "metric reason- 
ing" focused exclusively on the semantics of the logic while a syntactic counterpart did 
not develop. When we published [CLMlla] . which is the restricted version of this paper, 
there existed no attempt of understanding what a behaviour pseudometric might mean log- 
ically. We emphasized that, in the context of a completely axiomatized logic, the semantic 
distance between Markov processes implicitly induces, via Hausdorff metrics, a distance 
between probabilistic and stochastic logical properties. On this line, [CL Mlla] contains 
the open ideas of a research program that we have followed ever since. This research aims 
to understand the relation between the pseudometric space of Markov processes and the 
pseudometric space of logical formulas i.e., the relation between the measure of similarity of 
behaviours for Markov processes and the measure of provability in a corresponding stochas- 
tic/probabilistic logic. Eventually, in [LMP12b] we studied how convergence in the open 
ball topologies induced by the two pseudometrics "agree to the limit" and in [BBLM12] we 
proposed an effective on-the-fly algorithm to compute such metric for Markov chains. 

This paper provides the corner stone for our research program: We provide weak and 
strong complete axiomatizations for the most general logic that express properties of sto- 
chastic labelled Markov processes. We call it continuous Markovian logic (CML). It is simi- 
lar to PML, but developed for general continuous-time and continuous-space labelled Markov 
processes, henceforth continuous Markov processes (CMPs) [CLMlla] ICMIO} ICLMllb] . 
CML is endowed with modal operators indexed with transition labels and positive ratio- 
nals. For a label a and a positive rational r, the formula in CML expresses the fact 
that the rate of the a-transitions from the current state to the set of states satisfying (f> is at 
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least r; similarly, M®(ft states that the rate is at most r. In this respect, our logic is similar 
to the Aumann's system |Aum99bJ developed for Harsanyi type spaces [Har67j . 

In spite of their syntactic similarities, CML and PML are very different. In the prob- 
abilistic case axiomatized by Zhou in his PhD thesis [Zho07^ the two modal operators are 



dual, related by De Morgan laws such as h M^cft L^_ r -xft and h L^(ft <-)■ Mf_ r -i^, which 
express the fact that the probability of a transition from a state m to a state satisfying 
(ft and the probability of a transition from m to a state satisfying —itp sum to 1. In the 
stochastic case the two modalities are independent. Moreover, there exists no sound equiv- 
alence of type o Yg^(j> for X, Y G {L, M}, since the rate of the transitions from 
m to the set of states satisfying (ft is not related to the rate of the transitions from m to 
the set of states satisfying —xft. Hence, for CML formulas, no positive normal forms can 
be defined. Obviously, these differences are also reflected in the complete axiomatizations 
that we present both for CML and for its fragment without M"-operators. Many axioms 
of PML, such as h Lf.T or h Lf.cf) — > -iLg-xf) for r + s < 1, are not sound for CMPs. 

Another important difference between PML and CML regards their metaproperties. 
The proof of the finite model property for PML, done in [Zho07] . on which many other 
results such as decidability or weak completeness are centered, relays on the fact that in [0, 1] 
there are finitely many rationals of a given denominator. When one moves from probabilistic 
to stochastic processes, i.e., from probabilistic distributions to arbitrary distributions, this 
proof cannot be reproduced and for this reason decidability and weak completeness for CML 
remained open problems for some time. In this paper we prove the finite model property 
for CML using a nontrivial variation of Zhou's construction. This is one of the major 
contribution of this paper. 

The construction of a finite model for a consistent CML-formula is also relevant in 
the context of pseudometrics. It provides an approximation techniques to evaluate the 
quantitative extension of satisfiability relation induced by the behavioural pseudometric. 
Formally, the quantitative satisfiability is a function d : ty(A) x C{A) — > R + that associates 
to a CMP P G yS{A) and a CML formula (ft G C(A) a value d(P, (ft) G M + that measures 
the distance between P and the set of processes satisfying (ft: P \= (ft iff d(P, (ft) = 0. This 
function induces a distance on the space of logical formulas, d : C{A) x C(A) — > M + defined 
by 

d(<ft,<ft')= sup \d{P,(ft) -d{P,(ft')\. 

We observe that, in the context of a complete axiomatization, the distance d((ft, (ft') measures 
the similarity between logical formulas in terms of provability: (ft and (ft 1 are at distance in 
d if they can both be entailed from the same consistent theories. In this context we prove 
the Strong Robustness Theorem: 

d(P,(ft) <d(P, (ft') + d((ft,(ft'). 

In case that d((ft, (ft 1 ) is not computable or it is very expensive, one can use our finite model 
construction to approximate its value. Let d((ft,(ft') = max{\d(P, (ft) — d(P,(ft')\, P G f2 p [^]}, 
where fip^] is the finite model (it contains a finite set of processes) constructed for a 
consistent formula V f° r which both (ft and (ft 1 belong to the Fischer-Ladner closure of ip 
and p G N is a special parameter involved in the construction of the finite model. This 
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guarantees the Weak Robustness Theorem: 

d(P,<f>) <d(P,<f/) + d(<l>,<f/) + 2/p. 

Using this second theorem, one can evaluate d{P,4>) from the value of d(P,<j>'). Of course, 
the accuracy of this approximation depends on the similarity between eft and (j) 1 from a 
provability perspective, which influences both the distance d(4>, 4>') and the parameter p of 
the finite model construction. 

To summarize, the achievements of this paper are as follows. 

• We introduce Continuous Markovian Logic, a modal logic that expresses quantitative 
and qualitative properties of continuous Markov processes. CML is endowed with oper- 
ators that approximate the labelled transition rates of CMPs and allows us to reason on 
approximated properties. This logic characterizes the stochastic bisimulation of CMPs. 

• We present weak and strong completeness results for CML and for its fragment without 
M" operators. These are very different from the similar probabilistic cases, due to the 
structural differences between probabilistic and stochastic models; and the differences are 
reflected by the axioms. 

• We prove the finite model properties for CML and its restricted fragment. The construc- 
tion of a finite model for a consistent formula is novel in the way it exploits the Archi- 
median properties of positive rationals. We extend the construction to define canonic 
models for the two logics. 

• We define a distance between logical formulas related to the distance between a model 
and a formula proposed in the literature for probabilistic systems. The organization 
of the space of logical formulas as a pseudometric space, with a topology sensitive to 
provability, is a novelty in the field of metric semantics. This structure guarantees the 
strong robustness theorem. 

• We show that the complete axiomatization and the finite model construction can be used 
to approximate the syntactic distance between formulas. This idea opens new research 
perspectives on the direction of designing algorithms to estimate such distances within 
given errors. 

The structure of the paper. We end the introduction with a section that comprises 
some preliminary concepts and notations used in the paper. Section Q] introduces CMPs 
and their bisimulation. In Section [2] we define the logic CML and its semantics. Section [3] 
is dedicated to the weak completeness of the fragment of CML without operators and 
to the proof of the finite model property for this fragment. In Section |4] we extend the weak 
completeness proof and the construction of the finite model for consistent formulas to the 
entire logic. Section [5] extends the axiomatizations to prove the strong completeness and the 
existence of canonical models for the two logics. Section [6] introduces the metric semantics 
and the results related to metrics and bisimulation; in this section we present and discuss 
the robustness theorems. The paper also contains a conclusive section where we comment 
on the new research directions opened by this paper. 

Preliminary definitions and notations 

In this section we establish the terminology used in the paper. Most of the notation is 
standard. We also present some classic results that play an important role in the economy 
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of the paper. However, we assume that the reader is familiar with the basic terminology of 
set theory, topology and measure theory. 

Sets, Relations, Functions. For arbitrary sets A and B, 2 A denotes the powerset of A, 
A ttl B their disjoint union and [A —> B] the class of functions from A to B. 

If / : A -> B, we denote by f~ l : 2 B -> 2 A the inverse mapping of / defined, for 
arbitrary B' C B by /^(B') = {a G A /(a) G 5'}. If G 5, the fcerne/ o/ / is the set 
ker(f) = f- 1 ({0}) 

Given a set A and a relation !R C A x i, the set .A' C A is Ji-closed iff 

{o e i | 3o' G A', (a', a) G 9\} C A'. 
If E C 2 A is a set of subsets of A, then E(*R) denotes the set of 9^-closed elements of E. 

Measurable Spaces. In what follows we introduce a few concepts from measure theory 
and state a few results that are essential for our paper. For their proofs and more related 
results the reader is referred to [Bil95]. 

Definition 0.1. Let M be an arbitrary set. 

• A nonempty family of subsets II C 2 M closed under finite intersection is called a tt- system. 

• A nonempty family of subsets J- C 2 M that contains M and is closed under complement 
and finite intersection is called a field. 

• A nonempty family of subsets S C 2 M that contains and it is closed under finite 
intersection is called a semiring, if for arbitrary A, B G S such that A C B, B \ A is a 
finite union of elements in S. 

• A nonempty family of subsets E C 2 M is a a-algebra over M if it contains M and is 
closed under complement and countable union. 

If E is a cr-algebra over M, the tuple (M, E) is called a measurable space, the elements of E 
measurable sets and M is called the support-set of the space. 

If Q C 2 M is a nonempty family of subsets of M, the a-algebra generated by Q, denoted 
Q a is the smallest cr-algebra containing £1. 

Definition 0.2. A measure on a measurable space A4 = (M, E) is a countably additive 
function fj, : E — ► M + such that /x(0) = 0. We use A(M, E) to denote the set of measures 
on (M,E). 

Given a measurable space M = (M, E), we organize the class A(M, E) of measures as a 
measurable space by considering the cr-algebra 5 generated, for arbitrary S G E and r > 0, 
by the sets F(S, r) = {n G A(M, E) : /x(5) > r}. 

Definition 0.3. Given two measurable spaces (M, E) and (iV, O), a mapping / : M — > N 
is measurable if for any T G f2,,f -1 (T) G E. We use [M — > iV]] to denote the class of 
measurable mappings from (M, E) to (iV, Q). 

Now we state a few results that are fundamental in the construction of the finite and 
the canonic model for CML. 

Theorem 0.4 ([ BU95] . Theorem 10.3). Suppose that U C 2 M is a tt -system with M G II 
and [i,v are two measures on {M, IT 7 ). // fj, and v agree on all the sets in II, then they 
agree on IF 7 . 
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Theorem 0.5 ( [Bil95| . Theorem 11.3). If fx is a set function on a semiring S with values 
in [0, oo] such that /i(0) = 0, fi is finitely additive and countably subadditive, then li extends 
to a measure on S a . 

Definition 0.6. A set function ii defined on a field T is continuous from above in if for 
any decreasing sequence (j4j)j G N C T such that f] Ai = 0, lim ii(Ai) = 0. 

iei 

Theorem 0.7 ([Bil95], Example 2.10). If ft is a set function on a field J 7 such that /i(0) = 0, 
H is finitely additive and it is continuous from above in 0, then fi is countably additive on 
T. 

These previous results allow us to prove the next lemma that is the key result in our 
model constructions. 

Lemma 0.8. If T is a field, then any set function li : T — > M + that is finitely additive, 
continuous from above in and such that /x(0) = can be uniquely extended to a measure 
on T° '. 

Proof. Because J 7 is a field, Theorem 10.71 guarantees that li is countably additive on 
hence countably subadditive. It is trivial to verify that any field is a semiring. Now we 
apply Theorem 10. 5( since J- is also a semiring, and we obtain that ll extends to a measure 
on T° . The uniqueness derives from Theorem 10.41 □ 

0.1. Analytic Spaces. The analytic spaces play a central role in this paper. They are 
restrictions of general measure spaces but, however they form a very wide class. The 
analytic spaces have some remarkable properties that are needed for some of our results. 
For instance, the proof of the logical characterization of bisimulation cannot be done for 
arbitrary spaces [DEP02], and a good source for the unprovability of logical characterization 
of bisimulation for arbitrary spaces can be found in [Terll] , In what follows we only present 
the definition of Polish and analytic spaces. For a complete exposition on this topic, the 
reader is referred to |Dud89| or |Arv76] . 

Definition 0.9. A Polish space is the topological space underlying a complete, separable 
metric space; i.e. it has a countable dense subset or equivalently a countable base of open 
sets. 

Definition 0.10. An analytic space is the image of a Polish space under a continuous 
function between Polish spaces. 

1. Continuous Markov processes 

In this section we introduce the continuous-time Markov processes [CLMllaj . henceforth, 
continuous Markov processes (CMPs), which are models of stochastic systems with arbi- 
trary (possible continuous) state space and continuous-time transitions. Such systems were 
introduced for the first time in [DP03j . In this paper we use a different definition proposed 
in [CLMllal ICLMllb] . which exploits an equivalence between the definitions of Harsanyi 
type spaces [Har67l IMV04] and a coalgebraic view of labelled Markov processes [dVR99j 
described, for example, by Doberkat [Dob07]. 
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The CMPs are defined for a fixed countable set A of transition labels representing the 
types of interactions with the environment. If a G A, to is the current state of the system 
and N is a measurable set of states, the function 0(a) (m) is a measure on the state space and 
9(a)(m)(N) G M + represents the rate of an exponentially distributed random variable that 
characterizes the duration of an a-transition from to to arbitrary n G N. Indeterminacy in 
such systems is resolved by races between events executing at different rates. 

Definition 1.1 (Continuous Markov processes). Given an analytic space (M, E), where E 
is the Borel algebra generated by the topology, an A- continuous Markov kernel is a tuple 
Ai = (M, E, 9), where 9 : A -)• \M -> A(Af,E)]. M is the support set of M denoted by 
supp(Ai). If to G M, (.M,to) is an A-continuous Markov process. 

Notice that 9(a) is a measurable mapping between (M, E) and (A(M, where £ is 

the cr-algebra on A(M, E) defined in the preliminaries. This condition is equivalent to the 
conditions on the two-variable rate function used in [Pan09] to define continuous Markov 
processes. For the proof of this equivalence, see e.g. Proposition 2.9, of [DobQ7j . 

In the rest of the paper we assume that the set of transition labels A is fixed. We 
denote by Wl(A) the class of ^.-continuous Markov kernels (CMKs) and we use Ai, Aii, Ai' 
to range over Wl(A). We denote by ^(.A) the set of ^-continuous Markov processes (CMPs) 
and we use P, Pi, P' to range over ^P(A). 

The stochastic bisimulation for CMPs follows the line of Larsen and Skou's probabilis- 
tic bisimulation [LS91], adapted to continuous state-spaces by Desharnais et al. [DEP02, 
IDGJP 03], Recall that in the next definition £(9a) denotes the set of 9^-closed measurable 
sets (see preliminaries). 

Definition 1.2 (Stochastic Bisimulation). Given A4 = (M,T,,9) € 9Jl(A), a rate-bisimu- 
lation on Ai is an equivalence relation D\ C M x M such that (to, n) G 9t implies that for 
any C G E(£K) and any a £ A, 



Two processes (Ai,m) and (Ai,n) are stochastic bisimilar, written to n, if they are 
related by a rate-bisimulation relation. 

Observe that, for any Ai G 9Jt(A) there exist rate-bisimulation relations as, for instance, 
is the identity relation on Ai; the stochastic bisimilarity is the largest rate-bisimulation. 

Definition 1.3 (Disjoint union of Markov kernels). The disjoint union of Ai = (M,Y,,9) 
and Ai' = (M', 9') in M(A) is given by Ai" = (M" , S", 9") such that M" = M fcfcl M' , 
E" is generated by E liJ E' and for any a G A, N G E and N' G E', 



The disjoint union of Ai and Ai' is denoted by Ai l±J Ai'. 

Notice that Ai W A^' G 9JT(^4). If to G M and to' G M', we say that (Al,m) and 
(Ai',m') are bisimilar written (A^,to) ~ (Ai',m') whenever to ~xi±)X' m ' ■ 



9(a)(m)(C) = 9{a){n)(C). 
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2. Continuous Markovian Logics 

In this section we introduce a class of modal logics, henceforth, the continuous Markovian 
logics (CMLs) with semantics defined in terms of CMPs. In addition to the Boolean oper- 
ators, these logics are endowed with stochastic modal operators that evaluate, from below 
and from above, the rates of the transitions of a CMP. 

For a £ A and r € Q+, L^cj) is satisfied by (A4,m) € ty(A) whenever the rate of the 
a-transition from m to the class of the states satisfying <p is at least r; symmetrically, M^(f> 
is satisfied when this rate is at most r. CMLs extends the probabilistic logics [Aum99b, 
ILS91} IHMOU IZho07l IFH94] to stochastic domains. The structural similarities between 
the probabilistic and the stochastic models are not preserved when we consider the logic. 
Because we focus on general measures instead of probabilistic measures in the definition 
of the transition systems, many of the axioms of probabilistic logics are not sound for 
stochastic semantics. This is the case, for instance, with h L"T or h L®(j) — > -iL"-k/> for 
r + s < 1 which are proposed in [HM01, Zho07j. Moreover, while in probabilistic settings 
the operators L° and M® are dual, satisfying the De Morgan laws h M^cf) o L\_ r —xf) and 
h L^<p O Mf_ r ^(fr, they became independent in stochastic semantics. For this reason, in 
the next sections we study two CML logics with complete axiomatizations, C{A) involving 
only the stochastic operators of type L" and C{A) + that contains both L" and . 

In what follows we use the same set A of labels used with CMPs. 

Definition 2.1 (Syntax). Given a countable set A, the formulas of C(A) and C + {A) 
respectively are introduced by the following grammars, for arbitrary a € A and r € Q + . 

C(A) : <f> := T | -.0 | 0A</> | L°(f), 

C + (A) : 4> := T | ^<j) | <j) A <f> | L%<f> | M r a 0. 

In addition, we assume all the Boolean operators, including _L = -iT, as well as the 
derived operator E®(j) = L^cfr A M^cp. 

The semantics of C{A) and C + (A), called in this paper Markovian semantics, are 
defined by the satisfiability relation for arbitrary (M,m) G ^3(^4) with M = (M, € 
m(A), by: 

Ai,m \= T always, 

Ai, m \= -Hp iff it is not the case that m (= (j), 
M,m \= 4> A "0 iff M,m \= <j> and M,m \= ip, 
M,m\=L^m6(a)(m)(M M )>r, 
M,m^ M«0 iff 6{a){m)(l<j>} M ) < r, 
where {4>}m = {m e M\M,m \= (f>}. 

When it is not the case that A4,m \= <f>, we write Ad, m ^ 4>. 
From here we get the obvious rules for the derived operators: 
A4,m Y= -L always, 
M,m \= E?<f> iff 6(a)(m)(l<f)} M ) = r. 

Notice that E^cj) characterizes the process that can do an a-transition with exactly the 
rate r to the set of processes characterized by 4>. In the stochastic case L", M" and E£ are 
mutually independent. We chose not to study a Markovian logic that involves only the E£ 
operators because in many applications we do not know the exact rates of the transitions 
and it is more useful to work with approximations such as M" or L". 
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Observe that the semantics of L®4> and M®(fr are well defined only if \<P\m is measurable. 
This is guaranteed by the fact that 0(a) is a measurable mapping between (M, E) and 
(A(M, E), 5), as shown in the next lemma. 

Lemma 2.2. For any <j> G C + (A) and any M = (M,E,6>) G 931(A), \4>\m G E. 

Proof. Induction on 0: the Boolean cases are trivial since [T]^ = M is measurable, and 
the measurability is closed with respect to finite intersections and complement. 

The case <fc = L®tp: the inductive hypothesis guarantees that [V'Jx G E, hence, 
{/i € A(M, S)| / u([V ; ]a4) > r } is measurable in A(M, E). Because 6(a) is a measurable 
mapping, we obtain that {Lty\ M = (9(a))- 1 ({fi G A(M,S)[^([^]x) > r}) is measurable. 

Similarly it can be proved for = Mfiip. □ 

Corollary 2.3. For any cf> G C(A) and any M = (M,E,0) G SDT(«4), Mx G E. 

As usually, we say that a formula eft is satisfiable if there exists .M = (M, E, 0) G 93T(*4) 
and m G M such that A4, m |= 0. is waZid, denoted by |= <j>, if ->0 is not satisfiable. 



In this section we present a Hilbert-style axiomatization for C(A) and we prove its soundness 
and weak completeness for the Markovian semantics. The axioms and rules, collected in 
Table [1] are given for propositional variables (f),ifi G £(A), for arbitrary a G A and s, r G Q + . 
In addition we also assume the axiomatization of the classic propositional logic. 



Axiom (Al) guarantees that the rate of any transition is at least and encodes the fact 
that the measure of any set cannot be negative. (A2) states that if a rate is at least r + s 
then it is at least r. (A3) and (A4) encode the additive properties of measures for disjoint 
sets: [0 A ipj and [</> A are disjoint sets of processes such that \4> A tpj U \4> A -iipj = [0]. 
The rule (Rl) establishes the monotonicity of L". In this axiomatic system we have two 
infinitary rules, (R2) and (R3). (R2) reflects the Archimedian property of rationals: if the 
rate of a transition from a state to a given set of states is at least r for any r < s, then it 
is at least s. (R3) eliminates the possibility of having transitions at infinite rates. 

In Table [2] below we present the similar axiomatization that Zhou proposes in [Zho07 
for probabilistic logic and Harsanyi type spaces. Notice the main differences between the 
two systems: the axioms (B2), (B3) and (B4) of probabilistic logic are not sound for the 
Markovian semantics and this changes the entire structure of the provability relation. There 
are also important differences between the axioms (A3) and (A4) on one hand and (B4), 
(B5) on the other hand. In the probabilistic case there exist De Morgan relations between 



3. Weak Completeness for C(A) 



(Al) 
(A2) 
(A3) 
(A4) 
(Rl) 
(R2) 
(R3) 



h L^ +s 4> -> L a r 4> 

h L*((f) Aip) A L a s (<f) A -nj)) -> L a r+S (f) 
h ^(<j) Aip) A ^L a s ((f) A -up) -)■ ^L% s (f) 
If h 4> -)■ ip then h Lr4> -»■ Lfy 
{L a r <f> \r<s}hL a s (j) 
{L a r <t> \r>s}h± 



Table 1: The axiomatic system of C(A) 
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the two modal operators stated by (B3). We will see in the next section that a similar 
relation is impossible in the stochastic case. 

(Bl): hLg0 

(B2): h L"T 

(B3): hL^HMf.^ 

(B4): h L°cp — >■ -<Lg-i(j), r + s > 1 

(B5): h L£(0 A V) A L£(0 A -.^) -> r + s < 1 

(B6): h -.L?(0 Aip) A ^L a s (<f> A -.^) -> r + s < 1 

(51) : If h -»• V then h L a r <\> -> 

(52) : {-.M°<£ | r < s} h 

Table 2: The axiomatic system of PML 

As usual, we say that a formula <fi is provable, denoted by h 0, if it can be proved from 
the given axioms and rules. We say that <p is consistent, if (p — >■ _L is not provable. Given a 
set $ of formulas, we say that $ proves $ h 0, if from the formulas of $ and the axioms 
one can prove (p. $ is consistent if it is not the case that <I> h _L; $ is finite- consistent if any 
finite subset of it is consistent. For a sublanguage C C £(.A), we say that is £-maximal 
if no formula from C can be added to <I? without making it inconsistent; <3? is C-maximally 
consistent if <1> is consistent and £-maximal. 

Theorem 3.1 (Soundness). The axiomatic system of C(A) is sound for the Markovian 
semantics, i.e., for any (p € C{A), if\~<p then \= <p. 

Proof. As usual, the soundness proof consists in proving that each axiom is sound and that 
the rules preserve soundness. This is sufficient to guarantee that we can only derive sound 
consequences from sound hypothesis. In what follows we consider an arbitrary (M,m) € 
<#(A) with M = (M,£,0). 

(Al): We have |= L^cp since (a) (m) ([[</>]) > for any <j>. 

(A2): We have |= L^ +S (p —> L®(p since M,m \= L® +S <p is equivalent to (a) (m) ([</>]) > 
r + s implying 0(a)(m)([0]) > r, i.e., M,m \= L^<p. 

(A3): Suppose that M,m \= L^.(<p A ip) A L a s (4> A -*ip). Then, 9{a){m){{(p Aip}) > r 
and 9{a){m){\(p A -up}) > s. But since \(p A ip} and \(p A -up} are disjoint sets of processes 
such that {<p A Vfl U {<P A = (<Pl e(a)(m)m) = 0(a)(m)([0 A ip}) + 0(a)(m)([0 A ^]). 
Hence, 0(a) (M) ([</>]) > r + s, i.e., A4, m (= L° +S (p. 

(A4): Suppose that A4, m \= ^L a r (<p A ip) A ^L a s {<p A ->ip). Then, 6{a){m){\(p A ip}) < r 
and 9{a){m){\(p A -up}) < s. But since \(p A ip} and \(p A ->ip} are disjoint sets of processes 
such that {<p A Vfl U U A ^} = 1<P}, 0(a)(m)(M) = 0(a)(m)([0 A ip}) + 0(a)(m)([0 A ^D- 
Hence, 0(a) (M) ([</>]) < r + s, i.e., A4,m (= ~^L% s (p. 

(Rl): If |= -> V, then [0] C M- Suppose that M,m \= L a r <p. Then, 0(a) (m) ([<£]) > 
r. Since [0] C M, we derive that 0(a)(m)([0]) < 0(a) (m)([V»l), hence, 0(a)(m)([i>]) > r 
implying A4,m \= L a s ip. 

(R2): Suppose that for all r < s, M,m \= L®(p, i.e., for all r < s, 0(a) (m) ([</>]) > r. 
Using the Archimedean property of rationals, we derive that (a) (m) ([[</>]) > s. Hence, 
M,m \= Lg(p. 

(R3): Suppose that for all r > s, M,m \= L®(p, i.e., for all r > s, (a) (m) ([</>]) > r. 
But then, (a) (m) ([</>]) = oo - impossible since [<^>] is measurable and the measure is always 
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finite. Hence, there exists no process(.M, m) with this property, i.e., {L%(f> \ r > s} is 
inconsistent. □ 

In the rest of this section we prove the weak completeness of the axiomatic system for 
the Markovian semantics, i.e., that any valid formula can be proved from the given axioms 
and rules. In order to do this, we prove the finite model property for our logic stating that 
any consistent £(„4.)-formula has a finite model. 

To prove this, we will construct a model (A4^,T) G ^P(v4) for an arbitrary consistent 
formula ip G C(A), where supp(M^) is a finite set of £(^4)-consistent sets of formulas. As 
usual with the filtration method, the key result is the Truth Lemma stating that tp G T iff 
A4^,T \= tp. A similar construction has been proposed in |Zho07| for probabilistic logic. 
However, for the probabilistic case the proof relies on the fact that there exists a finite set of 
rationals of a fixed denominator within [0, 1]. Since in the stochastic case the rates range on 
[0, oo), this property cannot be used and instead we will have to handle a more complicated 
construction. 



Notations. Before proceeding with the construction, we fix some notations. 

For n G N, n ^ 0, let Q n = : p G N}. If S C Q is finite, the granularity of S, gr(S), 
is the least common denominator of the elements of S. 

Consider an arbitrary formula <p G C(A) and let R C Q + be the set of all r G Q + such 
that r is the index of an operator present in the syntax of <p. 

• The granularity of <p G C, denoted by gr(cj>) is defined by gr(cp) = gr(R) 

• The upper bound of <f>, denoted by max((p) is defined by max(<p) = max(R). 

• The modal depth of cp, denoted by md{4>), is defined inductively by 

'0, if0 = T 

md (S)= J mc W' if = 

yY> j max{md(ip),md( , ip')}, if <fi = ip A ip' 
md{ip) + 1, if (j) = L a r i\> 

• The actions of (ft is the set act((j)) C A of indexes a G A of the operators present in 
the syntax of (p. 

For arbitrary n G N and A C A, let C n {A) be the sublanguage of C(A) that uses only modal 
operators L° with r G Q n and a £ A. 

For A C C(A), let [A]„ = A U {<p G C n (A) : A h 0}. 

The next lemma has a central role in the finite model construction. 

Lemma 3.2. If A C £(^4) is a finite consistent set of formulas, then for any 4> G >C(^4) and 

ae i, 

(1) there exists r G Q + suc/i t/ioi A U {^L^cp} is consistent; 

(2) i/iere exists sup{r G Q + | A h L"0}. 

Proo/. 

(1) Suppose that there exists no r G Q + such that A U {^L^cp} is consistent. Then, A h 
{L®(p | for any r > 0}. Using (R3), this implies the inconsistency of A - contradiction. 

(2) Suppose that sup{r G Q + | A h L^(p} does not exists. Then, A h {L^<p \ for any r > 0} 
and, again, we derive from (R3) the inconsistence of A - contradiction. □ 
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The construction of a finite model for a consistent £(„4)-formula. 

We have now the necessary prerequisite to describe our construction. Consider a con- 
sistent formula tp G C(A) with gr(ip) = n and act(ip) = A. Let 

C[ip] = {<t> G C n (A) | max(cp) < max(ip),md((p) < md(ip)}. 

In this construction, C[ip] plays a similar role to the Fischer-Ladner closure in the 
filtration method: we construct a CMK M.^ G 9Jl(A) with supp{M.^) being the set of 
C[ip] -maximally consistent sets of formula^. And for this model, which is finite since C[ip] 
is finite modulo propositional equivalence, we will prove the Truth Lemma: 

for any (p G C[ip], (p G T iff M^,T \= (p. 

To compute our task, we need to define, for each (p G C[ip], each a G A and each 
r G supp(M^j), the value of (a) (r) ([<?!>]) and eventually to prove that this function satisfies 
the requirements of a transition function of a CMP. One of the necessary conditions for 
9 (a) (r) (J_</>J) to satisfy the Truth Lemma is that 

max{r G Q n | L%4> G T} < 6 (a) (T) ({(/)}) < min{r G Q n | G T}. 

Let £l[ip] be the set of C[tp] -maximally consistent sets of formulas. £l[ip] is finite and any 
A G fi[^>] contains finitely many formulas modulo propositional equivalence; for the rest of 
this construction we only count formulas modulo propositional equivalence and we use f\ A 
to denote the conjunction of the nontrivial formulas of A. 

Ideally would be to construct M.^ with supp{M.^) = il[ip], but this cannot be done 
because for some A G {r G Q n | -<L%4> G A} might be empty. Indeed, while due to 

(Al) we know that {r G Q n | L^<p G A} ^ 0, the axiomatic system did not provide us with 
a proof for {r G Q n \ ~^L^(j) G A} ^ 0. In fact, such a situation is possible and if it happens, 
it prevents us to prove the Truth Lemma. A solution could be to convey that min% = oo. 
We chose not to do that because we want to have an effective construction that will also 
involve completing the sets A with formulas of type ^L%<p when such formulas are absent 
from A - this is important latter when we will consider the robustness theorems. 

In what follows we construct for each A G ^l[ip] an extension A + ^ [A] n , possibly 
containing some formulas from C(A) \ C[ip], such that for any <\> G A and any a G A, there 
exists ^Lr4> G A+. 

We fix an arbitrary A G ^l[ip] and let {4>i, 4>i] C A be its set of formulas (modulo 
propositional equivalence). Observe that {<f>i, <pi\ h A. 

The construction step [tpi versus A]: 
From Lemma 13.21 we know that there exists r G Q + such that {4>\, <pi\ U {-iL"0i} is 
consistent. Using the converse of (A2), we obtain that there exists r G Q n such that 
{</>!,..., (pi} U {-iL"0i} is consistent. This implies that there exists r G Q n such that 
[A] n U {— \L^(p\) is consistent. From Lemma 13.21 we know that there exists sup{r G Q + | 
{(pi, (pi} h L^(pi}, implying that there exists max{s G Q n \ L a s (p\ G [A] n }. Hence, the 
following values are well defined. 

yl = min{s G Q n | [A] n U {^L a s (pi} is consistent}, 

x\ = max{s G Q„ | L*fa G [A] n }. 
About these values we can prove the following lemma. 



In fact, for the economy of the construction, we need to work with slightly larger sets that include the 
£[V']-niaximally consistent sets. 
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Lemma 3.3. There exists r G Q \ Q n such that xf < r < yf and {-iL%<pi} U [A] n is 
consistent. 

Proof. Suppose otherwise, then h f\ A — > L"^>i for all r < yf and applying (R2) we get 
h /\ A — )■ Lya4>\. This contradicts the consistency of [A] n U {-iL^a^i}. Obviously, r Q n . □ 

With these results in hand, we return to our construction. Let n\ = gran{l/n,r}, 
where r G Q\Q n is (one of) the value(s) mentioned in Lemma [3.31 Let sf = min{s G Q ni | 

[A] ni U {-^L a s (f)i} is consistent}, A? = A U {-.LJ^i} and Ai = (J A". 



In this way we have identified a multiple n\ G N of n and constructed a consistent set 
Ai 3 A with the property that for any a G A, {r G Q ni | L^4>1 £ Ai} and {r G Q ni | 
^L^(pi € Ai} are both nonempty. 

The construction step [<p2 versus Ai]: 
We repeat the construction done before, this time for <p2 and Ai and we define 



As before, there exists r G <Q> \ Q ni such that x\ < r < y% and {-iL"(fo} U [Ai] ni is 
consistent. Let n-z = gran{l/ni, r}. Let S2 = min{s G Q n2 | [A] n2 U^L^fo} is consistent}, 



As a result of this second step of the construction, we have identified a multiple 712 € PJ 
of n\ (hence, of n) and constructed a consistent set A2 D Ai 3 A with the property that 
for any a G A, {r G Q„ 2 | L"^>2 G A2} and {r € Q n2 | -*L®<])2 G A2} are both nonempty. 
Moreover, A2 inherited from Ai the property that for any a G A, {r G Q n2 | L"0i G A2} 
and {r G Q n2 | ->L^\ G A2} are nonempty, since Ai C A2 and n2 is a multiple of ri\. 

The complete construction: 
We repeat the construction step for [fa versus A2],. .,[fa versus Aj_i] and in a finite number 
of steps we will eventually obtain A C Ai C ... C Aj, where Aj is a consistent set containing 
a finite set of nontrivial formulas. 

As a result of this entire construction, we have identified a multiple rii G N of n and 
constructed a consistent set Aj D A with the property that for any a G A and any nontrivial 
formula <fi G A, {r G Q Ui | L"</> G Aj} and {r G Q nt \ -iL%(f) G Aj} are nonempty. Using Rule 
(Rl) we can extend this result and claim that for any a G A and any <fi G A, {r G Q n; | 

G Aj} and {r G Q ni | -^L^<f> G Aj} are nonempty. Hereafter, we use n\ to denote rn. 

We repeat the construction for all A G Q[ip]. Let p = gran{l/n\ : A G 0[^]}, conse- 
quently p is a multiple of n\. Let A + = [Ai\ p and fi -1- ^] = {A + : A G 

Remark 3.4. Any consistent formula <j) G C[4>] is an element of a set A + G $7 + [?/>]. For 
each A G each G A and each a £ A, there exist s,t E Q p , s < t, such that 

Lg(f>,^L1<j) G A + . Moreover, for any A + there exists a formula p such that G A + iff 
\- p (j); p is, for instance, the conjunction of f\ A and all the extra formulas added to A 
during our construction - the result is however a finite conjunction. 

Let Q p be the set of £ p (j4)-maximally consistent sets of formulas. We fix an injective 
function / : Q + [tp] — > Q p such that for any A + G fi+fy'], A + C /(A + ). The existence of this 
function is guaranteed by the Lindembaum's Lemma. We denote by = f(£l + [ip]). For 

0E^],letM = {r€fip[V]:^€r}. 



2/2 = min{s G Q ni | [Ai] ni U {^L^fa} is consistent} 
xl = max{s G Q m | L> 2 G [Ai]„J. 
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With this construction we have accomplished the first step of the finite model con- 
struction: fipfV'], which is a set of £ p (j4)-maximally consistent sets, will be the support of 
M^. Observe that since £L p [ip] is finite, (U p [ip],2 n P^) is an analytic space. It remains to 
define the transition function 9. The challenge here consists in the fact that we need to 
define 9 such that for any a G A, 9(a) is a measurable function between (f2 p [^], 2^ p ^l) and 
A(n p [if)],2 n rW) and for any T G n p [ip], (9(a) (r) is a measure on (n p [ip], 2 Up W ). Moreover, 
the model will have to eventually satisfy the Truth Lemma. 

Lemma 3.5. 

(1) is finite. 

(2) 2 n M = {[<£] : G 

(3) For any fa, G Cty), h 0i -»■ </» 2 # C [0 2 ]. 

(4) For any r € </> G and a £ A there exist 

x = max{r G Q p | L®(f) G T} and y = min{r G Q p | ->L°(f> G T}. 
Moreover, y = x + 

Proof. 1 and 2 are trivial consequences of the construction and 3 is a classical result about 
maximally consistent sets (ultrafilters of Boolean algebras). 

4. If L%4>^L a y 4> G T, then x ^ y. If x > y, L%4> G T entails (Axiom (A2)) L£</> G T, 
contradicting the consistency of T. If x + 1/p < y, then L® +1 ,(f) G" T, i.e. -, -^ +1 / p </ ) G T 
implying that x + 1/p > y - contradiction. □ 

The previous Lemma is a good indicator for where the values of 9(a)(T) ([[</>]) should 
be placed in intervals of granularity p, but this is not enough to guarantee the additivity of 
9(a) (r). For this, we need to be more precise. 

Let be the set of £(*4)-maximally consistent sets of formulas. As before, we fix an 
injective function g : Q p — >• such that for any T G f2 p , T C g(T); we denote p(r) by T°°. 

Lemma 3.6. For any T G fi p 4> £ t-MA an ^ o, (z A, there exists 

z = sup{r G Q | L*<j> G T 00 } = m/{r G Q | G T 00 } andx<z <y, 

where x and y are the values defined in Lemma \3.b\ 



Proof. Let x°° = sup{r G Q | L^<p G r°°} and y°° = inf{r G Q | ^L a r § G T°°}. 

Suppose that x°° < y°°. Then there exists r G Q such that x°° < r < y°°. From the 
definition of x°° and y°° we obtain —>L^(j), L%4> G T°° - impossible since T°° is consistent. 

Suppose that x°° > y°°. Then there exists r G Q such that x°° > r > y°°. As r°° is 
maximally consistent we have either G T°° or —>L^(j) G r°°. The first case contradicts 
the definition of x°° while the second the definition of y°°. 

Hence, x < z < y. If z = y, then ^L^<f> G T from the definition of y. Moreover, since 
z = sup{r G Q | Lf,(p G r°°}, there exists a sequence (.Z£;)fc6N G Q + such that lim z^ = z 

k— >oo 

and L^ ft </> G T°°. Applying (A2), we obtain that for any z' < z, L a z ,<j) G T°°. Now (R2) 
proves that L^(f> G T°°. Consequently, we proved that —iL%<f), L®(f) G T°° which contradicts 
the consistency of T°° . fj 
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In what follows we denote the value z defined in Lemma [3^61 by aK. Now we are ready 
to define M.^. 

Let 9^ : A -> [Sl p [ip] ->• A(O p [V>], 2 Q p^)} be defined, for arbitrary a G A, T G fJ p [V] and 
e by 

^(o)(T)(M)=aJ. 

Lemma 3.7. Wzf/i i/ie previous notation, for arbitrary a G »4, T € ^[V 7 ] anc ^ S jC^]) 

fl(a)(r)eA(n P M,2^M). 

Proof. We prove that the function 9^(a)(T) : 2 fip ^ — >• M + is well defined and a measure on 

Suppose that for 4>\-,4>2 G jC[^>] we have [0i] = [^l- Then, from Lemma [331 I - </>i ^ 02 
and h L%<f>\ O L"0 2 . Hence, = a^ 2 proving that 6^(a)(r) is well defined. 

Now we prove that 0^,(a)(r) is a measure. For this we use Lemma l0.8l and we relay on 
the fact that {[[0]] \ <f) £ £[ip]} is & finite field. Lemma 10.81 guarantees that it is sufficient 
to prove that 0^(a)(T)(0) = and that 9^(a)(T) is finitely additive, since the continuity 
from above in for a finite field derives from the monotonicity guaranteed by the finite 
additivity. 

For showing 0^,(a)(r)(0) = 0, we show that for any r > 0, I iL"_L. This is sufficient, 

as (Al) guarantees that h Lq_L and [JL] = 0. Suppose that there exists r > such 
that L£_L is consistent. Let e G (0,r)flQ. Then (A2) gives h L£_L ->• L^_L. Hence, 
h L£_L -»• (L«(± A _L) A L»(± A -iJL)) and applying (A3), h L£_L -> L^ +e _L. Repeating this 
argument, we can prove that h L"J_ — > for any s and (R3) proves the inconsistency of 
L*-L. 

We show now that if A, S G 2 n pM with A n S = 0, then 0^(a)(T)(A) + ^(o)(T)(B) = 
^(a)(r)(Au5). Using Lemma l331 2, we can assume that A = [0i], £> = |0 2 ] with (f>i,<p2 G 
£[V>] and h 0i ->■ -ufo. Let a?i = ^(o)(r)(A), x 2 = ^(o)(T)(B) and x = 0^(a)(T)(A U B). 
We prove that xi + x 2 = x. 

Suppose that x\ + x 2 < x. Then, there exist ei,e 2 G Q + such that x' x + x' 2 < x, where 
x^ = Xj + for i = 1,2. From the definition of Xj, -iL a ,0j G r°°. Further, using (A4), we 

i 

obtain -iL a , , ., (6% V 2 ) G r°°, implying that x\ + x'n > x - contradiction. 

Suppose that x\ + x 2 > x. Then, there exist ei, e 2 G Q + such that x'[ + x 2 ' > x, where 
x'l = Xi — €i for i = 1,2. But the definition of Xj implies that L®„<f>i G r°°. Further, (A3) 

gives L"„ +a ,„(0i V 4>2) G r°°, i.e. x'/ + x 2 ' < x - contradiction. 

Since the sigma-algebra 2^ p ^ is finite, the previous results are sufficient to prove that 
indeed 0(a) (T) G A(fi p [^], 2^M). □ 

Because the space 2 fip ^) has a finite support, the previous lemma already proves 

that our construction is a CMP. 

Theorem 3.8. With the previous notations, M^> = (0, p [ij;],2 u P^,9^) G Wt(A). 

Remark 3.9. Before proceeding with the Truth Lemma, notice that the previous construc- 
tion is parametric in p and that the choice of p is not unique. It has however a lower bound: 
p is a multiple of n, which is the granularity of ip. We do not focus here on algorithms for 
computing this parameter, but in [FHM90] the reader can find an algorithm for computing 
a similar parameter. Later this parameter will play an essential role in the robustness the- 
orems and for this reason we introduce the following notation: if -0 is a consistent formula 
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and M$ = 2 n "M, 0$) G Wl(A) is (one of) its finite model(s), then we call p the 

parameter of M.^ denoted by par{M.fa). 

Lemma 3.10 (Truth Lemma). If (ft € £[ip], then [M^,T \= <f> iff <f> eT\. 

Proof. Induction on the structure of (ft. 

The case (ft = T: We have always M^,T \= T and T G T since T is £[tft] -maximally 
consistent. 

The case (p = fa A fa: M^,T (= fa A fa iff [for each i = 1,2, M^,T \= fa]. Using 
the inductive hypothesis, this is equivalent to fa, fa G T and since fa A fa G it is 

equivalent to fa A 02 G F. 

The case = ->p: A4^,T \= ->p is equivalent to M^,F \fc p which, applying the 
inductive hypothesis, is equivalent to p G" T. Since p G £[ip] and T is C[tp] -maximally 
consistent, this is equivalent to -ip G Y. 

The case (ft = L'p.fa: (=>) Suppose that M^,T \= (ft and (ft ^T. Hence ^<ft G T. Let 
y = min{r G Q p | ^L a r <ft' G T}. Then, from ^L%fa G T, we obtain r > y. But Af^,T |= L"<^' 
is equivalent with 9^ (a) (T) ([</>']) > r, i.e. aR, > r. On the other hand, from the Rule (R2), 
aF^, < y - contradiction. 

(<=) If L a r fa G r, then r < a\ and r < 0^(a)(T)(M). Hence, H W □ 

The Truth Lemma proves the finite model property for our logic. 

Theorem 3.11 (Finite model property). For any £ (A) -consistent formula (ft, there exists 
M G yJl(A) with finite support of cardinality bound by the structure of (ft, and there exists 
m G supp(M) such that A4,m \= (ft. 

Proof. The result derives from the Truth Lemma, since the consistency of ip G £[ip] guar- 
antees that there exists a £ [ip] -maximally consistent set T G f2 p [V>] such that ip G T. But 
then, from the truth lemma, Ai^,T \= ip. □ 

The finite model property allows us to prove the completeness of the axiomatic system. 

Theorem 3.12 (Weak Completeness). The axiomatic system of £{A) is weak- complete 
with respect to the Markovian semantics, i.e. if \= ip, then h ip. 

Proof. We have that [|= ip implies h ip] is equivalent with [1/ ip implies y= ift], that is 
equivalent with [the consistency of -rip implies the existence of a model (M,m) G *$(»4.) f° r 
-up] and this is guaranteed by the finite model property. □ 

4. Weak Completeness for £ + {A) 

In this section we extend the work to £ + (A) . In Table [3] we present a Hilbert-style axiom- 
atization for £ + (A). 

Notice the differences between these axioms and the axioms in Table [T] and Table [21 
First of all, Axiom (A2) has to be enforced, in the stochastic case, and it takes the form 
of the axioms (C2) and (C3). In the probabilistic case, there exist De Morgen dualities 
between the two modal operators encoded by the rules (B3) and (B4); these two are not 
sound for the stochastic models. Axiom (A3) has been also enforced by (C5). In addition, 
we have an extra Archimedean rule for M". 

The concepts of consistency, finite- consistent set, maximal and maximally- consistent 
sets are now used in the context of the new provability relation introduced in Table O 
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(CI) 


\-L%cj> 




(C2) 


^ ^r+s 


(j) ->M?<j>, s>0 


(C3) 




p -»■ M r > 


(C4) 


h -i-L" 




(C5) 




l (0 A V) A -M s a (0 A -.^) -»■ -M r a +S 


(Tl) 


If h 


-> ip then h ->• L$ip 


(T2) 




r < s} h 


(T3) 




| r > s} h M s a 


(T4) 


{^1 


r > s} h _L 



Table 3: The axiomatic system of C + {A) 



We prove below that all the theorems of C(A) are also theorems of C + (A) and we state 
some theorems of C + (A) that are central for the weak completeness proof of C + {A) . 

Lemma 4.1. 

(1) h M?4> -> -L« +s ; a > 0, 

(2) h ^kf r a -»• L?0, 

(3) h L« +s -> L?0, 

(4) h M r a -> M« + >, 

(5) h L»(0 A V) A A -V) ->■ K+s& 

(6) h M r a (0 A ^) A M»(0 A -.^0 -> M r+>> 

(7) // h -»• V, «ien h M r > -> M r a </>. 

Proof. (1) and (2) are the converse of (C2) and (C3) respectively. 

(3). If s = we have a tautology. Otherwise, using (C2) we have h L^ +S (f) — >■ -iM®0 and 
using (2) we obtain h L" +s —■ L a r <j). (4) can be proved similarly. 
(5). Consider an arbitrary e > 0. Using (C2) we obtain 

h L?(0 A V) A L«(0 A ^) -> -M r % /2 (0 A 0) A -M»_ £/2 (0 A 

Now if we apply (C5), we get h L"(</> A -0) A L"(</> A -^) — ► ^M^ +s _ £ 4> and applying (2), 
h L"(0 A 0) A L"(</> A -1-0) — >■ L" +s _ £ 0. Since this result is true for any e > 0, applying (T2) 
we get the result. Similarly can be proved (6). 

(7). Let e > 0. Using (Tl), h ->■ V implies h L" +e ->■ L" +e implying I 'L a r+e ^ ->■ 

-^L? +£ <p. Applying (C3), h ^L% s ^ ->• M r a +£ 0. Applying (1) and (4), we get h M^Y> -> 
M^ +s 4> and since this is true for any e > 0, (T3) proves h M®^> — > M°0. □ 

Theorem 4.2 (Soundness). XTie axiomatic system of C + {A) is sound for the Markovian 
semantics, i.e., for any (f> € C + (A), if\~4> then \= <p. 

Proof. The proof is similar to the proof of soundness for C(A) without major differences. 
Here we only prove the soundness of (C3) and (T3). Consider an arbitrary CMP (M,m) € 
<#(A) with M = (M,£,0). 

(C3): Suppose that M,m^ ^L a r (p. Then, 0(a)(m)([0]) < r, hence, 0(a)(m)([0]) < r 
that is equivalent to M,m \= M®cf). 

(T3): Suppose that for all r > s, M,m \= M?4>, i.e., for all r > s, 6> (a) (m) ([</>]]) < r. 
Using the Archimedean property of rationals, we derive that # (a) (m) ([[</>]) < s. Hence, 
M,m \= M°(f>. □ 
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In what follows, we prove the weak-completeness via the finite model property, following 
a similar construction as for C{A). Due to the similarity between the two constructions, in 
what follows we only present the arguments and prove the results that differ from the case 
oiC(A). 

The notations introduced in the previous section need as well to be adapted to the 
signature of C + (A). 

Consider an arbitrary formula cp G C + (A) and let R C Q + be the set of r G Q + such 
that r is the index of an operator of type L° or M" present in the syntax of (p. 

• The granularity of <p> G C, denoted by gr(<p) is defined by gr{(p) = gr(R) 

• The upper bound of (f), denoted by max((p) is defined by max(<p) = max(R). 

• The modal depth of <f>, denoted by md((p), is defined inductively by 

'0 ii<p = T 

md U)= J md ^ if = 

I max{md{ip),md{ip')} if cp = ip A ip 

md(tp) + 1 if cp = L^ip or <p = M?ip 

• The actions of (p is the set act(cp) Q A of indexes a G A of the operators of type or 
M" present in the syntax of cp. 

In the rest of this section, for arbitrary n G N and A C. A, let C^(A) be the sublanguage 
of C + {A) that uses only modal operators and M" with r G Q ra and a G A 
For A C C+(A), let [A] n = A U {0 G £+pi) : A h <f>}. 

The construction of a finite model for a consistent £ + („4)-formula. 

Consider a consistent formula ip G C + {A) with gr(ip) = n and act(ip) = A. We define 

= {cp G £^"(j4) I max{4>) < max(tp),md((p) < md(tp)}. 

Let £l[ip] be the set of all £ + [^-maximally consistent sets of formulas. 

Consider an arbitrary A G £l[ip]; we construct, as before, an extension A^ 3 [A] n , 
possibly containing some formulas from C + (A) \ £ + [ip], such that for any cp G A and any 
a G A, there exists -^L^cp G A + . This construction is done exactly as for £(A). Observe 
that in this case, due to (C2) and (C3), there exists s G Q + such that A + 3 M®cp, and 
if max{r G Q + [ L^cp} > 0, there also exists s' G Q + such that —>M£,(p. We can, in fact, 
prove the following extension of Lemma 13.51 (we only state the case similar to the case (4) 
in Lemma 13.51 since the cases (l)-(3) remain true with identical proofs). 

Lemma 4.3. For any T G fi p [V'L ^ vP\ an d a £ A there exist 

x = max{r G Q p | L®cp G T} and y = min{r G Q p \ ->L%4> G T}, 
v = max{r G Q p | ^Af r > G T} and w = min{r G % \ M?cp G T}. 
Moreover, y = x + 1/p and w = v + 1/p. 

Similarly to Lemma 13.61 for C + (A) one can prove the following lemma. 
Lemma 4.4. For any T € Q p [ip], <p G and a G A, there exists 

z = sup{r G Q | L a r <P G T 00 } = inf{r G Q | G T 00 } 

= sup{r G Q | -Af r > G T 00 } = m/{r G Q | M?cp G T 00 }. 
Moreover, x < z < y and v < z < w, where x, y, v, w are the values defined in Lemma \4.3\ 
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As before, we denote this z by and we proceed with the definition of the model M.^. 
The next theorem is the correspondent of Theorem 13.81 and its proof is similar to the proof 
of Lemma 13.71 

Theorem 4.5. If 9^ : A ^ [£lp[ip] -> A(fi p [V>], 2^^)] is defined for arbitrary a G A, 
r G fi,fo&] and G £+ft/>] 6?/ e^(a)(T)(M) = a?, then = 2°*^, 64) G 0Jt(^). 

This last result allows us to prove the Truth Lemma also for C + {A). 

Lemma 4.6 (Truth Lemma). If 4> G £ + [tp], tfien [M^T |= iff GT]. 

Proof. In addition to the proof of Lemma I3.10I we need to prove the case 4> = M®(j)' . 
(=>■) Suppose that M.^,Y \= 4> and <f> f- T. Hence -Hp G T. Let v = max{r G Q p | 
-iM?(j)' G T}. Then, from -.M r a <// G T, we obtain r < v. But Al,/,,r |= M?(j)' is equivalent 
with (a) (r) (I^>']) < r, i.e. aJ^, < r. On the other hand, from Lemma 14.4} a^, > v - 
contradiction. 

(«=) If M r V G T, then r > and r > 0^ (a) (T) ([</>]). Hence, A^.T (= M r a 0. □ 

As before, the truth lemma implies the finite model property and the weak completeness 
theorem for C + (A) with Markovian semantics. 

Theorem 4.7 (Finite Model Property). For any C + (A) -consistent formula 4>, there exists 
Ai G 9Jl(A) with finite support of cardinality bound by the structure of 4>, and there exists 
m G supp(A4) such that A4,m \= (p. 

Theorem 4.8 (Weak Completeness). The axiomatic system of C + (A) is weak complete 
with respect to the Markovian semantics, i.e. if \= ip, then h ip. 

Remark 4.9. Before ending this section we shall insist on the fact that the finite model 
construction for C + (A), as for C(A), is parametric in p and that the choice of p is not 
unique. As before, if -0 is a consistent formula and M.^ = (O p [*0], 2 np ^, 6^) G Wl(A) is 
(one of) its finite model(s), then we call p the parameter of M.^, denoted by par(A4^). 

5. Strong completeness of Markovian Logics and their canonical models 

In this section we address the problem of strong completeness, both for C(A) and C + {A). 
The strong completeness requires to prove that any consistent theory V is satisfied by some 
model (process). The Markovian logics with the axiomatizations presented in the previous 
sections are not strongly complete and in order gain this property one needs to enrich 
the axiomatic systems with the so-called Countable Additivity Rule and to assume the 
Lindembaum property that every consistent set of formulas (in the new axiomatic system) 
has a maximally consistent extension. The adoption of the Lindembaum property as a 
postulate rather than a property to be proved was firstly proposed by Goldblatt in |GollO] 
where he shows that this choice is unavoidable in order to achieve the strong completeness 
of such logics for coalgebras over measurable spaces. In the absence of these assumptions, 
one cannot build a a canonic model from maximally consistent sets of formulas. Instead, the 
canonical models can only be constructed from truth sets (sets satisfied by some process), 
as done in [Aum99b| IMV 06] . Zhou proves in [Zholl] that for such logics the class of of 
truth sets of formulas is a proper subclass of that of maximally consistent sets of formulas. 

In this paper we are interested in the strong completeness and in constructing canonical 
models from maximally consistent sets of formulas that will eventually provide us a useful 
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tool for studying metric properties of the space of logical formulas. To accomplish this, we 
assume in what follow the Lindembaum property and we consider the concept of provability 
obtained by enriching the axiomatic systems in Table [T] and Table [3] with the Boolean rules 
for infinitary deduction and Countable Additivity Rule (CAR) stated below. The results 
and the constructions presented in this section can be developed in a similar manner for 
both C(A) and C + {A) and for this reason in what follows we use C to range over the set 
{C(A), C + (A)} and we present the arguments at this level of generality. 

Given an arbitrary set 3> C C of formulas, let f\ denote the set of the (finite) conjunc- 
tions of the elements of $ and for arbitrary a £ A and r G Q + , let = {L^(p \ <fi £ <!>}. 

(CAR): For arbitrary $ C C and 4> £ £, $ h <f) implies L a r f\ $ h L a r <f>. 
For the beginning we shall prove the soundness of (CAR) for the Markovian semantics. 
Theorem 5.1 (Soundness of (CAR)). 

For arbitrary <3? C C and <j) G C, $ |= <f> implies L a r /\ $ \= L a r 4>. 

Proof. Let [<&] be the set of models satisfying all the formulas of <3?. 

Consider an arbitrary CMP (M,m) G y$(A) with M = (M, E, 6), such that (M, m) \= 
Lf,&. This means that for each finite conjunction tp of elements of $ we have that (A4,m) \= 
Lyip, which is equivalent to 6(a)(m)({tp}) > r. 

Suppose that V $ = fa, ...} and for each i € N, let ipi = faA...A(f>i. Observe that for 
each i, M 5 and pH^l = M- Consequently, lim 0(a)(m)(M) = 0(a)(m)([*]). 

Since for each i, ipi G <3?, we have that 0(a)(m)(|y>j]]) > r implying lim 0(a)(m)([-0j]]) > 

i— >oo 

r. Hence, 0(a)(m)([$]) > r. 

Further, observe that $ \= <f> means that [<&] C [0J. Hence, 0(a)(m)([0]) > r. □ 

In what follows we concentrate on proving the strong completeness. We reuse some of 
the notation introduced in the previous sections. 

Let fi be the set of /^-maximally consistent sets of formulas. For arbitrary <f> G C, let 
(|0D = {$ G n | 4> G $} and fl£|) = | G C}. 

Similar results with the ones in Lemma 13.61 and Lemma 14.41 can be proved for this 
extended concept of consistency and using them, we can define for arbitrary <J> G f2, a G A 
and 4> G £, 

oj = sup{r 6Q:L r >6$} = in/{r G Q : G $} = 

in/{r G Q : M?<f> G $} = sup{r G Q : ->M r °0 G $}. 
This allows us to prove the existence of the canonical model for £ G {C(A) , C + (A)} . In the 
next theorem (\C\j a denotes the sigma-algebra induced by <\C\). 

Theorem 5.2 (Canonical Model). With the previous notation, M.c = (fl, d£D CT , 6c) € 
SDT(^), w/iere 6>£ : A ->■ [SI -s- A(0, d£|T)] is defined for arbitrary a € A, $ £ £1 and <j) £ C 
by 6c(a)(mM) = 4- 

Proof. This proof is similar to the proofs of the Theorems 13.81 and 14.51 The only additional 
things to prove are that (fl, d>C|) cr ) is an analytic space and the countable-additivity for the 
functions 9c{a)(<&) required to guarantee that these functions are indeed measures. These 
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results were not necessary for the Theorems 13,81 and 14.51 because the supports of the finite 
models were finite and consequently also their cr-algebras. 

That (f2, l\£\)' 7 ) ^ s an ana lytic space derives from the fact that it is a Polish space, and 
this can be proved as in |ZY12j . Corollary 4.5. 

From the proof of Lemma [3. 71 which can be reproduced identically for our case, we know 
that for arbitrary <3? E $7 and a £ A, O c {a)(^) is finitely additive on fl£|) and 0£(a)(<J>)(0) = 
(because [_L]] = 0). Since fl£|) is a field, in order to prove that #c(a)(<I>) can be uniquely 
extended to a metric on (\£\) a , it is sufficient to prove that 0£(a)(<&) is continuous from above 
in on (\£\), as stated in Lemma 10.81 

Let * = {"01,^2, •••} Q £ be such that for each i £ N, (fo% 5 Wi+l an d = 0- 

Let Xj = 0£(a)( < I ) )((|V ; jD)- To prove that Oc(a)($) is continuous from above in 0, it is 
sufficient to prove that lim x% = 0. 

i— >oo 

Since 0c(a)($) is positive and monotone, there exists y = lim x^. Suppose that y ^ 0; 

i— >oo 

then, there exists a rational p such that < p < y. From here we obtain that there exists 
a j such that for each i > j, Xi > p; we can assume, without loosing generality, that j = 1. 
Hence, -LpV'i E $ for each i. 

Observe that since dV'Di D d^Di+fc for each i, k £ N, (ft £ /\ ^ implies that there exists 
k £ N such that (ft = iftk- Consequently, [Lptfti £ $ for each i E N] guarantees that Lp 1 ^ C 
Hence, must be consistent (as a subset of a consistent set). 

Because p > 0, \f Lp_L and using (CAR), ^ 1/ _L. Hence, ^ is consistent and using 

Lindenbaum property, there exists E O such that \P C But then <!>' E f^OV'iD) 

ieN 

contradicting the hypothesis that f^dV'Di = 0- 

This concludes the proof that y = and 0c(a)($>) is continuous from above in on 

(\£l ~ □ 

Notice in the previous proof the central role played by (CAR) and Lindenbaum property. 
In the previous version of this paper [CLMlla] we have omitted these aspects. 

The existence of the canonical models allows us to prove the most general truth lemma. 

Lemma 5.3 (Extended Truth Lemma). With the previous notations, for arbitrary (ft £ £ 
and & £ Q, 

Mc,® ^<ftiff(ft£$. 

Proof. Due to the way we have used the ^-maximally consistent sets to construct the finite 
model, the proof of this lemma derives from the proofs of the other truth lemmas 13.101 and 

31 □ 



We conclude this section with the Strong Completeness Theorem that is a straightfor- 
ward consequence of the previous lemma and the Lindenbaum property. 

Theorem 5.4 (Strong Completeness). For arbitrary (ft £ £ and arbitrary consistent set 
$Q£, 

$\=(f>iff$h(ft. 
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6. From bisimulation to the metric space of logical formulas 

One of the main motivation for studying quantitative logics for probabilistic and stochastic 
processes was, since the first papers on this subject |LS91| . the characterization of stochas- 
tic/probabilistic bisimilarity. To start with, we state that a version of the Hennesy-Milner 
theorem holds for Markovian logic: the logical equivalences induced by C(A) and by C + (A) 
on the class of CMPs coincide with stochastic bisimilarity. The proof follows closely the 
proof of the corresponding result for probabilistic systems presented in [DEP98, Pan09] and 
for this reason we will not present it here. However, it consists in showing that the negation 
free- fragment of C(A) characterizes stochastic bisimilarity, while negation and do not 
differentiate bisimilar processes. 

Theorem 6.1 (Logical characterization of stochastic bisimilarity). 

Let M = (M,T,,t),M' = (M',S',r') G Wl(A), m G M and m' G M' . The following 
assertions are equivalent. 

(1) (M,m) ~ (M',m'); 

(2) For any 4> G C{A), M,m\=4> iff M',m' \= (f>; 

(3) For any (p G C + (A), M,m\= <j> iff M',m' \= (p. 

A consequence of the logical characterization of bisimulation is that any CMP is bisim- 
ilar to a CMP of the canonical model, as stated in the Representation Theorem stated 
below. This derives immediately from the logical characterization of bisimilarity and Ex- 
tended Truth Lemma. 

Theorem 6.2 (Representation Theorem). Any process P G *P(-4.) is bisimilar to some 
process (Mc,&) of the Canonical Model. More exactly, P ~ (A4c,&) where $ = {4> G C \ 

The concept of stochastic/probabilistic bisimilarity is however a very strict concept: 
it only verifies whether two processes have identical behaviours. In applications we need 
instead to know whether two processes that may differ by a small amount in the real-valued 
parameters (rates or probabilities) have similar behaviours. To solve this problem a class 
of pseudometrics have been proposed in the literature |DGJP04t IPan091 IvBWOlt |vB+03| , 
to measure how similar two processes are in terms of stochastic/probabilistic behaviour. 
Because these pseudometrics are quantitative relaxations of the bisimulation relation, they 
can be defined relying on the Markovian logics. Since in what follows the development 
works identically both for C{A) and C + (A), we simply use C to denote any of the two. 

Formally, for the class ^3(-4) of Markov processes and for the Markovian logic C, the 
behavioural pseudometric can be induced by a function d : *P(-4.) x C — > R + which extends 
the (characteristic function of the) satisfiability relation \=: ^{A) x£ — > {0, 1}. The function 
d quantifies with strictly positive numbers the situations in which a process does not satisfy 
a property |DCJP041 IP1m09] . 

To exemplify, in this paper we work with the function d : *P(-4.) x C — > M + , defined 
below for the set <#(A) of CMPs and C G {C+(A), C(A)}. 

d((M,m),T) = 0, 

d((M,m), -.0) = 1 - d{(M, m), 0), 

d((M, m), 4> A V>) = max{d{(M,m),4>), d((M , m) , ip)} , 

d((M,m),L?cf>) = (r,e(a)(m)(l<t>})), 
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d[{M,m) : M?<t>) = <%)(m)(M),r), 
where for arbitrary r, s £ R + , 

, . j r — s if r — s > 
* ' ' [0 otherwise 

The results presented in this section relay on the fact that d, as most of the functions that 
quantify satisfiability for stochastic or probabilistic logics, is defined on top of the transition 
function 9. For this reason, these results can be similarly proved for other bisimulation 
pseudometrics. 

The first result states that d characterizes stochastic bisimilarity. 

Lemma 6.3. If (M,m),(M' ,m') £ S $(A), then 

(M,m) ~ (M',m) iff [V</> £ C, d((M,m), 4>) = d((M',m'), </>)]. 

Proof. (=^-) Induction on (j). The Boolean cases are trivial and the cases 4> = L^ip and 
4> = M?ip derive from the fact that 0(a)(ro)(M) = 0'(a)(m')(M). 
{-^=) For an arbitrary 4> £ C and a £ A, we have that for all r £ Q + , 

d((M,m), L a r 4>) = d((M', m'), L»; 

and for r big enough 

d((M,m),L a r ct>) = r-e(a)(m)m) , <K(M' ,m'), L» = r - 0'(a)(m')(M). 
Hence, 6* (a) (m) ([0]) = #'( a )( m ')(M) which implies (M,m) ~ (.A/f',m/). □ 

As we have anticipated, a function d : *P(-4) x C — > M + which characterizes bisimulation 
in the sense of Lemma 16.31 induces a distance between stochastic processes, 

D : *p(A) x y(A) -> R + 

defined for arbitrary P, P' £ *$(A) by 

D{P,P') = su P {\d{P,4>) - d{P' ^)\,<P £ C}. 

The next lemma states that D is a pseudometric and its kernel is the stochastic bisimilarity. 

Lemma 6.4. The function D : ^(A) x ^3(«4.) —> M + defined before is a pseudometric such 
that 

D(P,P') =QiffP~P r . 

Proof. Obviously D is symmetric. We prove the triangle inequality. For arbitrary P,Q,R £ 
?($(A) and (j) £ C, we have the following inequalities 

\d(P, 4>) -d{Q,4>)\ < \d(P, </,) - d(R, <f>) I + \d(R, <t>) - d(Q, <t>) | , 

sup \d(P, <P) - d(Q, <P)\ < sup(|d(P, 0) - d(R, <f>)\ + \d(R, 0) - d(Q, 0)|), 
4>&c </>e£ 

sup|d(P,0) -d(Q,<f>)\ < sup|d(P,0) -d(R,4>) \ + sup \d(R, 0) -d(Q,0)|. 

<t>ec <j>ec 4>&c 

Hence, D(P, Q) < D(P, R) + D(R, Q). 

Now we prove that the kernel of D is bisimulation. 
If P ~ P', Lemma 16.31 guarantees that for any cp £ C, d(P,<p) = d(P',<p) implying that 
sup \d(P,<f>) -d{P',<j))\ =0. 

Reverse, if sup|d(P, 4>) — d(P',4>)\ = 0, then for any <f> £ C, d(P,(f>) = d(P',(f>) and Lemma 
4>&c 

16.31 guarantees that P ~ P'. □ 
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Similarly, one can use d to define a pseudometric d : C X L — )■ [0, 1] over the space of 
logical formulas by 

d(<£,i/>) = sup{\d(P,<t)) - d(P,i/>)\,P G W(A)}, for arbitrary <j>, ip G £. 
Lemma 6.5. T/ie function d : £ x £ — > [0, 1] defined before is a pseudometric and 

3(0,V)=5H>,-V)- 

Proof. We prove that it satisfies the triangle inequality. We have 

sup |d(P, <f>) - d(P, V) | + sup \d(P, ij>) - d{P, p) I > 
P&${A) Pe¥(A) 

sup (\d(P,</>)-d(P,ifi\ + \d(P,i/>)-d(P,p)\)> sup |d(P,$-d(P,p)|. □ 

This construction allows us to introduce the first robustness theorem stating that the per- 
turbation of a logical property bounds the effect on the function d. 

Theorem 6.6 (Strong Robustness). For arbitrary <p,ip G C and P G ?($(A), 

d(P,V) <<P,0)+3(0,V). 

Proof. Prom the definition of d we have that d(P, ip) — d(P, <p) < d((p, ip). O 

Notice the importance of this result: while the values of d depend on the model, d refers 
exclusively to logical properties and it is, apparently, independent of the model. The proof 
of this independence is not trivial and we will not present it here; for this proof the reader is 
referred to [LMP12b]. If one can evaluate d independently of the model, then this theorem 
can be used in many applications where one needs to evaluate the value of d for extremely 
large systems. Using maybe techniques such as statistical model checking, one can get an 
evaluation of d(P, </>) and further use our robustness theorem to get boundaries for d(P, ip) 
for arbitrary ip G C 

Similar constructions can be done for any class of stochastic or probabilistic models for 
which a correspondent logic that characterizes bisimulation has been defined. But despite 
the obvious utility of the robustness theorem, in most of the cases such a result is not 
computable due to the definition of d that involves the quantification over the entire class 
of continuous Markov processes. 

This is exactly where the weak and strong complete axiomatizations of C{A) and C + (A) 
and the finite model properties play their role. In what follows, we use the construction of 
the finite model for an /^-consistent formula presented in the previous sections to effectively 
compute an approximation of d within a given error e > 0. Below we reuse the notations 
of the finite model constructions introduced in Section [3] and Section [H 

The next lemma states that d can be characterized using the processes of the canonical 
model Mc- m this way, it implicitly relates d to provability, since these processes are 
/^-maximally consistent sets of formulas. 

Lemma 6.7. With the previously used notations, for arbitrary (p,ip G C, 
d(4>, = sup \d((M c , *), 4>) ~ d((M c , *), 

Proof. Any (A4, m) G 9Jl(A) satisfies a maximally-consistent set of formulas, hence there ex- 
ists $ G such that (M,m) ~ (Mc,®), i.e., for any <f> G C, d((M,m),(p) = d((Mc,®),4>)- 

□ 
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In what follows we reduce the quantification space in the characterization of d presented 
in the previous lemma from to the domain of a finite model. Central for this is the 
construction of the finite model for a consistent formula. 

For an arbitrary consistent formula ift £ £, let M^p = (£l p [ip], 2 n ^\ 0$) <E Wl(A) be the 
model of ip constructed in the previous section; and let p = par{M^,) be the parameter of 
M.^ discussed in Remark 13.91 and Remark 14.91 

Let d : £[4>} x £bP] ~ ► ^ + be defined, for arbitrary eft, eft' £ C[ij}], as follows. 

d{<f>,<f>')= max \d((Mtp,T),(f>) - d((M$,T),(f>')\. 
ref2 p [V>] 

Notice that d is similar to d except that it takes the supremum over a finite set of processes, 
hence, a maximum. There is however a strong relation between d and d involving the 
parameter par(M^p), as described in the next lemma. 

Lemma 6.8. With the notations previously introduced, for arbitrary (j),(f)' € C[ip], 

3(^)<d(0,0') + 2/P- 
Proof. To prove the inequality, we prove first that for arbitrary <f> £ C[ip], 

\d((M £ , r°°), 0) - d((M^,r), 0)1 < i/p, 

where we reuse the notation of the finite model construction. We do the proof by induction 
on (p. 

The case = T: d((M c , L°°), T) = d((M^,T), T) = 0. 

The case cp = ^<f>': \d((M.£,T°°), 4>) - d((M^,T),<t))\ = |1 - d((M c , T°°), - 1 + 
d((A4^p, T), tp)\ = \d((A4c, r°°), ip) — d((A4^p,T),7p)\. And now we can apply the inductive 
hypothesis. 

The case (ft = cfi' A eft": \d((M c , T°°), <p' A 4>") - d{{M^, Y),# A <f>")\ = 

\max{d((Mc, r°°), <f/), d((Mc,r°°), <£")} - maar{d((A^, T), 0'), d((M^ T), <j>")}\ < 1/p, 

since |d((^,r oo ),</)')-d((M V) ,r),0')| < 1/pand \d((M C , T°°), <f>") - d{{M^, V), f)\ < 
1/p from the inductive hypothesis. 

The case (f> = Lf;<j)': Since T C r°°, from the way we constructed we obtain that 

|^(a)(r)(M)-^(a)(r~)(M)|<l/p. 

• If r < ^(a)(r°°)(M) < ^(a)(r)([0'l), then ^(McT 00 ),!^') = d((A^,r),L^) = 
0, hence, \d{(M c , T°°), L?<f/) - d((M^,T), L$tf)\ = 0. 

• If 0£(a)(r°°)([(//fl) < r < 0^(a)(r)([^]), then we have d((Ai^,r),L^) = and 
d((^,r°°),L^') = r-^(a)(r°°)([0l), hence, |d((Mc, r°°), L«^) -d{{M^ T), L r V)| = 
r - 0£(a)(r°°)(M) < ^(a)(r)(M) - ^(a)(r°°)(M) < 

. If ^(o)(r°°)(M) < ^(a)(r)([0']) < r, then d((M^, T), L*tf) = r - fy,(a)(r) ([[<£']] ) and 
d((Mc,r°°),-W) =r-^(o)(r oo )(M), hence, |d((Mc, r°°), L«^) -d((A^, r),L^')l = 
|(r - ^(«)(r°°)(M)) - (r - ^(a)(r)([0D) = |^(a)(r)(M) - £ (a)(r-)([0'J)| < 1/p. 

• All the other sub cases are treated similarly. 

The case <f> = M®<f>'\ can be proved similarly to the case <f> = L^cj)'. 

Now we prove our inequality. Since d(d), 6') = max \d{(M.ih,T),(b) — d({M.^,Y), (f>')\, 

ren p [v>] 

there exists To € ^p[^] that realizes this maximum. 

Using the inequality that we just proved, we obtain that for arbitrary T 6 

\d{{Mc,T°°),<t>) ~ d((Mc,r°°),^)l < \d((M^,T),0) - d((M^T)A')\ + 2/p, 
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and since To realizes the maximum, 

|d((Mc,r°°), <f>) - d((M c , r°°), 0')l < |d((A^, r ), <£) - d((M f ,r ), cj>')\ + 2/p. 

Because this inequality is satisfied by any T, we can take it to the limit and obtain 

sup \d((Mc,T°°),<f>) - d({M £ ,r°°),tf)\ < \d((M^,T Q ),<P) ~ d((M^,T ),<f>')\ + 2/p, 
r°°gn 

i.e.,d(<f>,<f> , )<d(<t>,<fJ) + 2/p. 

□ 

This last result finally allows us to prove a weaker version of the robustness theorem 
which evaluates d((A4,m),ip) from d((M,m),4>), based on d(4>,ip) and a given error. 

Theorem 6.9 (Weak Robustness). For an arbitrary consistent formula tp £ C, arbitrary 
(j), 4>' € £[ip] and arbitrary P G ^(.4,), 

d(P,<f>)<d(P,<l>') + d(<l>,<j/) + 2/p, 

where p = par{M.^p). 

Proof. The result derives from combining the Strong Robustness Theorem with Lemma [6.81 

□ 

The Weak Robustness Theorem is a very useful tool to estimate d{P, cp) given d(P, 4>') 
within a given error 2/p. With respect to the Strong Robustness Theorem, it guarantees that 
the evaluation can be done in finite time, since d requires to investigate a finite CMP. The 
finite model construction can be used to provide an algorithm for computing the parameter 
p. A similar algorithm for probabilistic case can be find in [FHM90] . 

7. Conclusions and related works 

We have introduced Continuous Markovian Logic, a multimodal logic designed to specify 
quantitative and qualitative properties of continuous Markov processes. CML is endowed 
with operators that approximate the rates of the labelled transitions of CMPs. This logic 
characterizes the stochastic bisimilarity of CMPs. 

We have presented weak and strong complete axiomatizations for the entire logic as 
well as for its fragment without M"-operators. These axiomatic systems are significantly 
different from the probabilistic case and from each other. The weak completeness proofs 
relay on the finite model properties. The constructions of the finite models adapts the 
filtration method of modal logics to stochastic settings, where a series of specific problems 
had to be solved. The finite model constructions and the complete axiomatizations allow 
us to approach the problems of approximating bisimulation-distances and to prove a series 
of new results such as the robustness theorems. 

This paper opens a series of interesting research questions regarding the relationship 
between satisfiability, provability and metric semantics. There are many open questions 
related to the definition of d and to the structure of the metric space of formulas. One of the 
problems, that we postpone for future work, is finding a classification of the functions d to 
reflect properties of d. For instance, in collaboration with Prakash Panangaden [LM P12b| . 
we have proven that if d satisfies some specific continuity conditions, then d characterizes 
the logical equivalence between formulas without negation in the probabilistic case and 
between formulas without negation and without operators in the stochastic case, i.e., 
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only for some special and ip we have [d((f>, tp) = iff h (j> -H- tp] . However, the problem of 
finding a formal characterization of the kernel of d remains open. In the same paper we gave 
topological characterizations of the pseudometric space of logical formulas for probabilistic 
and for the Markovian logics. At the topological level one can see better the differences 
between the two logics. For the probabilistic logic the situation is quite simple: the set [[(/>]] 
of models satisfying <f> is closed whenever <f> does not involve negation and open otherwise. 
For the Markovian logics the situation is much more complicated and the sets \<p\ can, in 
various cases, produce open, closed, G$ or F a sets of models^. 

There exist, however, distances enjoying even stronger properties such as [|= <p — > ip iff 
VP € yp(A), d(P,ifj) < d(P,4>)]. Each of these metrics organizes the set of logical formulas 
as a pseudometric space with specific topological properties. The complete axiomatization 
is probably the key for classifying such structures and for understanding the relationship 
between the topological space of models and the topological space of logical formulas. 
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